Bug#795450: iceweasel: major exploits against current firefox in the wild
Richard Jasmin
frazzledjazz at gmail.com
Fri Aug 14 03:55:07 UTC 2015
Package: iceweasel
Version: 38.1.0esr-3
Severity: grave
Tags: upstream security
Justification: user security hole
There are recent reports as of last week on the Wired magazine homepage under
"technology" and "recent hacks while away at defcon" that exploit Firefox in
major ways. Both Windows and Linux users were targeted and information was
retrieved that should not have been able to be retrieved. Running anything less than
the experimental build leaves people vulnerable to this issue. More details are
on the Wired website. Recommend immediate update to the experimental build version
to fix this. I can't see why depends would break, but this needs some testing to
see if anything would break with the update.
In the meanwhile users can always install the latest Firefox in a non-root location
(home folder) and run it from there. This should in theory work, as the Debian
depends for the experimental version are a non-issue. I believe the file is a
pre-compiled binary as released. Anything designed for Ubuntu werewolf or less
should run just dandy on stretch.
As we are open source, we need to patch/update and disseminate (backport) things
like this (to the mainstream Linux community [Fedora/RHEL/Ubuntu/project
maintainers]) as they are discovered. We don't have time for major exploits to
hit Linux and go unreported.
I believe this is an upstream bug. As the exploit has already leaked, private
BTS reporting is a moot point. I only discovered the issue as an already "in the
wild" bug. I did not discover the exploit myself.
-- Package-specific info:
-- Extensions information
Name: Advanced Cookie Manager
Location: ${PROFILE_EXTENSIONS}/cookiemgr at jayapal.com
Status: user-disabled
Name: BugMeNot Plugin
Location: ${PROFILE_EXTENSIONS}/{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Disable Anti-Adblock
Location: ${PROFILE_EXTENSIONS}/{d49a148e-817e-4025-bee3-5d541376de3b}.xpi
Status: enabled
Name: Disable DHE
Location: ${PROFILE_EXTENSIONS}/5aa55fd5-6e61-4896-b186-fdc6f298ec92 at mozilla.xpi
Status: enabled
Name: Disconnect Search
Location: ${PROFILE_EXTENSIONS}/search at disconnect.me.xpi
Status: enabled
Name: Easy Youtube Video Downloader Express
Location: ${PROFILE_EXTENSIONS}/{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi
Status: enabled
Name: Foobar
Location: ${PROFILE_EXTENSIONS}/foobar at unnecessarilylongurl.com.xpi
Status: enabled
Name: Greasemonkey
Location: ${PROFILE_EXTENSIONS}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
Status: enabled
Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere at eff.org
Status: enabled
Name: Long URL Please
Location: ${PROFILE_EXTENSIONS}/longurlplease at darragh.curran.xpi
Status: enabled
Name: NoSquint
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/nosquint at urandom.ca
Package: xul-ext-nosquint
Status: enabled
Name: PassIFox
Location: ${PROFILE_EXTENSIONS}/passifox at hanhuy.com.xpi
Status: enabled
Name: Perspectives
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/perspectives at cmu.edu
Package: xul-ext-perspectives
Status: enabled
Name: Readability
Location: ${PROFILE_EXTENSIONS}/readability at readability.com.xpi
Status: enabled
Name: Report Pedophile
Location: ${PROFILE_EXTENSIONS}/reportpedophile at internetpredatortracker.com
Status: enabled
Name: uBlock
Location: ${PROFILE_EXTENSIONS}/{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi
Status: enabled
Name: URL Fixer
Location: ${PROFILE_EXTENSIONS}/{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi
Status: enabled
Name: User Agent Overrider
Location: ${PROFILE_EXTENSIONS}/useragentoverrider at qixinglu.com.xpi
Status: enabled
Name: WOT
Location: ${PROFILE_EXTENSIONS}/{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
Status: enabled
Name: YouTube High Definition
Location: ${PROFILE_EXTENSIONS}/{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: disabled
Name: Skype Buttons for Kopete
Location: /usr/lib/mozilla/plugins/skypebuttons.so
Package: kopete
Status: enabled
-- Addons package information
ii gnome-shell 3.16.3-1 amd64 graphical shell for the GNOME des
ii iceweasel 38.1.0esr-3 amd64 Web browser based on Firefox
ii kopete 4:4.14.1-2 amd64 instant messaging and chat applic
ii xul-ext-nosqui 2.1.9-3 all control the size of text of websi
ii xul-ext-perspe 4.6.2-1 all verify HTTPS sites through notary
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.5.1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.29-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-19
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.20-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.2.1-3
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-14
ii libgdk-pixbuf2.0-0 2.31.5-1
ii libglib2.0-0 2.44.1-1.1
ii libgtk2.0-0 2.24.28-1
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-2
ii libnss3 2:3.19.2-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.11.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 5.1.1-14
ii libvpx2 1.4.0-4
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.10-2
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1:1.4.5-dmo1
ii gstreamer1.0-plugins-good 1.4.5-2+b1
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.13.2+dfsg-2
pn mozplugger <none>
-- no debconf information